ClawHub

Tavily Web Search

v1.0.0

Real-time web search using Tavily API optimized for AI agents. Use when you need current information, recent news, factual research, competitive analysis, or...

5· 2.7k·3 current·3 all-time
byPatrick@moochmaniac
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included script: it calls a Tavily search endpoint and returns structured results. Requiring a Tavily API key is proportionate to the stated purpose. However the registry metadata lists no required env vars while the script expects an optional TAVILY_API_KEY env var or workspace secret — a minor inconsistency. No unrelated credentials or capabilities are requested.
!
Instruction Scope
The SKILL.md and script instruct the agent to read an API key from workspace/secrets or a relative secrets path or an environment variable — that is expected for an API-backed search. However the script has a logic bug: if none of the candidate secret files exist, secrets_path remains None and the subsequent os.path.exists(secrets_path) will raise an exception (TypeError), preventing the intended fallback to the TAVILY_API_KEY environment variable. Also the script references an odd duplicated path (~/.openclaw/workspace/workspace/...) that does not match the SKILL.md path text, which could cause confusion about where keys should be stored.
Install Mechanism
This is an instruction-only skill with a bundled Python script (no install spec). The script imports the third-party 'requests' library but the skill does not declare dependency installation instructions, which may lead to runtime failures if requests isn't available. No remote downloads or high-risk install behaviors are present.
Credentials
The only secret material the skill needs is a Tavily API key (file or TAVILY_API_KEY env var), which is proportional to a web search integration. The registry metadata claiming 'no required env vars' is inconsistent with the script/README which document TAVILY_API_KEY and workspace secret paths. The secret paths referenced are limited to workspace/relative locations rather than unrelated system credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and has normal user-invocable/autonomous invocation defaults. No elevated persistence or cross-skill configuration changes are present.
What to consider before installing
This skill is coherent with its stated purpose (Tavily web search) and not obviously malicious, but there are implementation issues you should address before trusting it: 1) Provide your Tavily API key (either set TAVILY_API_KEY or place the key at the path you control). Note the script looks for several paths and one path in the code ("~/.openclaw/workspace/workspace/secrets/...") does not match the SKILL.md — confirm which location will actually be used. 2) The script contains a bug: if no secret file is found, it will crash instead of falling back to the environment variable. Fix the os.path.exists(secrets_path) logic to guard when secrets_path is None. 3) Ensure the Python 'requests' package is installed in the runtime environment (the skill does not declare this dependency). 4) Verify you trust the Tavily service and its endpoint (https://api.tavily.com/search) because search queries and API key will be sent there. If you are not comfortable exposing queries or a key to that endpoint, do not install. If you plan to use it, either fix the code or run it in an isolated environment and supply the API key via a location you control.

Like a lobster shell, security has layers — review code before you run it.

latestvk975xkhvbsft1fpmd3skkn720982e0ew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments